
How to exploit a vulnerability (Use of Hard-coded Cryptographic Key) in a web project?


Most security guides say that Use of Hard-coded Cryptographic Key is dangerous because if the cryptographic key in the code is leaked to a hacker, the hacker can read the data encrypted with the crypto algorithm (e.g. AES256), so the guides say that developers have to store the cryptographic key outside the source code (like the picture below).


But I wonder whether it is really safer to store the cryptographic key outside the source code. Let's suppose the cryptographic key is leaked to a hacker; that means the hacker has got the entire project source code, because there is no other way to learn a cryptographic key that is in the source code. Therefore, even if the developer stores the cryptographic key outside the source code, it is still dangerous.

So my question is: in a web project, is there any means of learning a cryptographic key stored in the source code other than obtaining the entire project source code?
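The following is an added example, not code from the original question or answer, showing what "store the key outside the source" looks like in practice and what it buys you. The environment variable `APP_SIGNING_KEYS`, the key-id format `kid:hex,kid:hex`, and the functions `load_keys`, `sign_token` and `verify_token` are assumptions made for this example. It signs session tokens with HMAC-SHA256 instead of encrypting with AES so that it runs on the standard library alone; the key-handling point is identical. The practical difference from the hard-coded key is not that the external key can never leak, but that it is absent from every clone of the repository, its history, build artifacts and backups, it can be protected with tighter access than the code, and when it does leak it can be rotated by changing a deployment setting rather than shipping new code. The key-id scheme below lets old tokens keep verifying during a rotation and then retires the leaked key by dropping it from the list.

```python
import base64
import hashlib
import hmac
import os
import secrets

# Assumed (hypothetical) environment variable: "kid:hex,kid:hex", newest key first.
KEY_ENV = "APP_SIGNING_KEYS"
MIN_KEY_BYTES = 32

# The anti-pattern under discussion: the key lives in the source file, so it is in
# every clone of the repository, every build artifact and every backup, and rotating
# it requires a code change and a redeploy.
HARDCODED_KEY = bytes.fromhex("00" * 32)  # placeholder value; do not do this


def new_key_hex():
    """Generate a fresh 256-bit key for the operator to put in the secret store."""
    return secrets.token_hex(MIN_KEY_BYTES)


def load_keys(env=None):
    """Read signing keys from the environment instead of from source.

    Returns {kid: key_bytes} in the order given (newest first). Refuses to start on a
    missing entry, a short key, or the placeholder value, so a misconfigured deploy
    fails loudly instead of silently signing with a weak key.
    """
    env = os.environ if env is None else env
    raw = env.get(KEY_ENV)
    if not raw:
        raise RuntimeError(f"{KEY_ENV} is not set; refusing to start without a key")
    keys = {}
    for entry in raw.split(","):
        kid, sep, hexkey = (part.strip() for part in entry.partition(":"))
        if not sep or not kid or not hexkey:
            raise ValueError(f"malformed key entry {entry!r}; expected kid:hex")
        key = bytes.fromhex(hexkey)
        if len(key) < MIN_KEY_BYTES:
            raise ValueError(f"key {kid!r} is {len(key)} bytes; need >= {MIN_KEY_BYTES}")
        if key == HARDCODED_KEY:
            raise ValueError(f"key {kid!r} is the placeholder value")
        keys[kid] = key
    return keys


def sign_token(keys, payload, kid=None):
    """Produce kid.body.tag, tagging with the newest key unless a kid is given."""
    if kid is None:
        kid = next(iter(keys))
    body = base64.urlsafe_b64encode(payload).decode("ascii").rstrip("=")
    tag = hmac.new(keys[kid], f"{kid}.{body}".encode(), hashlib.sha256).hexdigest()
    return f"{kid}.{body}.{tag}"


def verify_token(keys, token):
    """Return the payload if the tag checks under a key we still trust, else None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    kid, body, tag = parts
    key = keys.get(kid)
    if key is None:  # unknown or retired key id: token is no longer accepted
        return None
    expected = hmac.new(key, f"{kid}.{body}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):  # constant-time comparison
        return None
    return base64.urlsafe_b64decode(body + "=" * (-len(body) % 4))


if __name__ == "__main__":
    # Constructed environment standing in for a secret store; never commit real keys.
    env = {KEY_ENV: f"v2:{new_key_hex()},v1:{new_key_hex()}"}
    keys = load_keys(env)
    tok = sign_token(keys, b"user=42")
    print(tok, verify_token(keys, tok))
    old = sign_token(keys, b"user=42", "v1")
    print(verify_token({"v2": keys["v2"]}, old))  # None once v1 is retired
```

In a real deployment the value of `APP_SIGNING_KEYS` comes from the platform's secret store or an injected environment, never from a file checked into the repository; the `load_keys` refusal to start is what turns a forgotten secret into a deploy failure instead of a weak-key incident.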


Solution

  • In a web project, assuming I'm understanding what you're saying correctly, all of your code is private. You only output what you tell your server to output, and source code is inaccessible... unless someone really doesn't know what they're doing. Just make sure to use HTTPS to secure your client side, otherwise the whole World Wide Web could find out too.

    Using a disassembler, most of your unique strings in any application are up for grabs. So are files, as best I know. Certificate pinning sounds close to what you're talking about, and I have modified a Snapchat APK to accept my certificate authority so I could perform a MITM on it. Trusting the CA on my phone wasn't enough, because the app had a not-so-easily defeated security feature. It only really works when either a.) a user wants to decrypt their own data, or b.) someone has way too much access to their phone.

    This may be slightly outside of scope, but a good way to protect system function on the server side from abuse by your clients is to write an API for them to control their input precisely. Just food for thought.
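To make the answer's point about embedded strings concrete, here is an added example (not from the original post) that does what an attacker with a build artifact does before reaching for a disassembler: pull printable runs out of a binary the way `strings` does, keep the ones shaped like a hex or base64 key, and rank them by Shannon entropy so that padding and placeholder values drop out. The sample "binary" is constructed inline for the example; `find_secret_candidates`, the shape regexes and the entropy floors are assumptions for illustration, not a real tool's settings. The same scan run over a source tree, a container image or a backup answers the question's "is there any other means": a key that is a literal anywhere in the artifact is found in seconds without the rest of the source.

```python
import math
import re

# Runs of printable ASCII at least 16 bytes long, what `strings -n 16` would print.
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{16,}")
# Shapes a raw key usually takes once it is baked into a binary or config.
HEX_SHAPE = re.compile(rb"^[0-9a-fA-F]{32,}$")          # >= 128-bit key as hex
BASE64_SHAPE = re.compile(rb"^[A-Za-z0-9+/=_-]{24,}$")  # >= 128-bit key as base64

# Entropy floor per shape, in bits per byte (assumed thresholds): a random hex key
# sits near 4.0, a random base64 key near 6.0; padding and filler sit far lower.
ENTROPY_FLOOR = {"hex": 3.0, "base64": 4.0}


def shannon_entropy(data):
    """Bits of entropy per byte of `data` (0.0 for empty or single-symbol input)."""
    if not data:
        return 0.0
    counts = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def find_secret_candidates(blob):
    """Return key-shaped, high-entropy strings found in `blob`, with their offsets."""
    hits = []
    for m in PRINTABLE_RUN.finditer(blob):
        s = m.group()
        if HEX_SHAPE.match(s):
            kind = "hex"
        elif BASE64_SHAPE.match(s):
            kind = "base64"
        else:
            continue  # ordinary text: spaces, punctuation, UI strings
        ent = shannon_entropy(s)
        if ent < ENTROPY_FLOOR[kind]:
            continue  # key-shaped but repetitive, e.g. a zeroed placeholder
        hits.append({"offset": m.start(), "kind": kind,
                     "entropy": round(ent, 3), "value": s.decode("ascii")})
    return hits


# Constructed stand-in for a compiled artifact: an ELF-like header, a UI string,
# an embedded hex key, a placeholder key, an embedded base64 key, a few code bytes.
SAMPLE_BINARY = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 9
    + b"Welcome to the example service\x00"
    + b"0123456789abcdef" * 4 + b"\x00"
    + b"a" * 32 + b"\x00"
    + b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdef\x00"
    + b"\x55\x48\x89\xe5\xc3"
)

if __name__ == "__main__":
    for hit in find_secret_candidates(SAMPLE_BINARY):
        print(f"{hit['offset']:#06x} {hit['kind']:<6} "
              f"H={hit['entropy']:.2f} {hit['value']}")
```

Running it on the constructed sample reports the hex key and the base64 key and skips both the welcome string and the repetitive placeholder. The same approach, pointed at your own release artifacts in CI, is a cheap check that no key literal has crept back into the build.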